Findings
Audit findings.
Real bugs, not vibes — the security regressions Sebastion catches in live open-source code. Every finding maps to a CWE and is ranked by severity, then published in the open so you can see exactly what a security-first review surfaces before code ships.
1001 findings across 288 repositories — 80 critical, 364 high, 522 medium, 35 low.
Findings come from automated audit runs across public repositories, grouped by scanner severity. They have not all been individually triaged or acknowledged by maintainers; CVE numbers are assigned only after coordinated disclosure where applicable.
Medium
50 on this pagelangchain-ai/langgraphSQL injection via filter key in SQLite store search queries
CWE-89libs/checkpoint-sqlite/langgraph/store/sqlite/base.py
2026-03-27
mobile-next/mobile-mcpPath traversal in mobile_install_app allows installing from arbitrary filesystem paths
CWE-22src/server.ts
2026-03-27
mobile-next/mobile-mcpUnvalidated bundleId passed to shell commands in uninstallApp
CWE-78src/android.ts
2026-03-27
mobile-next/mobile-mcpFleet device identifier passed directly to command execution without validation
CWE-78src/mobilecli.ts
2026-03-27
mukul975/Anthropic-Cybersecurity-SkillsSQL injection via unvalidated table names in SQLite forensic analyzer
CWE-89skills/performing-sqlite-database-forensics/scripts/process.py
2026-03-27
mukul975/Anthropic-Cybersecurity-SkillsSQL injection via column names in exploiting-insecure-data-storage agent
CWE-89skills/exploiting-insecure-data-storage-in-mobile/scripts/agent.py
2026-03-27
mukul975/Anthropic-Cybersecurity-SkillsXML External Entity (XXE) processing in CIS benchmark parser
CWE-611skills/hardening-linux-endpoint-with-cis-benchmark/scripts/process.py
2026-03-27
openlit/openlitCommand injection via cronId in deleteCronJob
CWE-78src/client/src/helpers/server/cron.ts
2026-03-27
openlit/openlitClickHouse SQL injection via field-values endpoint with allowlisted but unsanitized column expressions
CWE-89src/client/src/app/api/rule-engine/field-values/route.ts
2026-03-27
operacle/checkcleXSS via translation string rendered with dangerouslySetInnerHTML
CWE-79application/src/components/regional-monitoring/RegionalOneClickTab.tsx
2026-03-27
operacle/checkcleHardcoded authentication secrets in test database dump shipped in repository
CWE-798server/core_backend-server/tests/data/data.sqlite-dump.sql
2026-03-27
operacle/checkcleAuthentication tokens stored in localStorage vulnerable to XSS exfiltration
CWE-922application/src/lib/pocketbase.ts
2026-03-27
ruc-datalab/DeepAnalyzePath traversal in file download endpoint
CWE-22API/file_api.py
2026-03-27
ruc-datalab/DeepAnalyzeCommand injection via subprocess in PythonCodeExecutorToolGroup
CWE-78deepanalyze/SkyRL/skyrl-gym/skyrl_gym/tools/python.py
2026-03-27
ruc-datalab/DeepAnalyzeSQL injection in SQLCodeExecutorToolGroup
CWE-89deepanalyze/SkyRL/skyrl-gym/skyrl_gym/tools/sql.py
2026-03-27
wonderwhy-er/DesktopCommanderMCPURL passed to shell builtin 'start' on Windows allows command injection via openBrowser
CWE-78src/utils/open-browser.ts
2026-03-27
wonderwhy-er/DesktopCommanderMCPDevice credentials (access_token, refresh_token) passed as command-line arguments visible in process listing
CWE-200src/remote-device/scripts/blocking-offline-update.js
2026-03-27
zcaceres/markdownify-mcpSSRF bypass via DNS rebinding in safeFetch URL validation
CWE-918src/utils.ts
2026-03-27
zcaceres/markdownify-mcpArbitrary file conversion via filePath parameter in toMarkdown tools
CWE-73src/Markdownify.ts
2026-03-27
FoundationAgents/MetaGPTDynamic module loading from filesystem path in aflow interface
CWE-94metagpt/ext/aflow/scripts/interface.py
2026-03-26
OpenHands/OpenHandsSSRF via GitHub proxy POST endpoint forwarding arbitrary paths
CWE-918enterprise/server/routes/github_proxy.py
2026-03-26
OpenHands/OpenHandsMissing authorization on feedback submission endpoint allows cross-user feedback injection
CWE-862enterprise/server/routes/feedback.py
2026-03-26
OpenHands/OpenHandsDynamic class loading from database column enables arbitrary code instantiation via conversation callbacks
CWE-502enterprise/storage/conversation_callback.py
2026-03-26
OpenHands/OpenHandsSQL LIKE injection via unescaped title__contains parameter in conversation search
CWE-89enterprise/server/utils/saas_app_conversation_info_injector.py
2026-03-26
OpenHands/OpenHandsPath traversal in conversation storage paths via sid parameter
CWE-22openhands/storage/locations.py
2026-03-26
browser-use/browser-usePath traversal in screenshot save and cookie export allows writing to arbitrary file paths
CWE-22browser_use/skill_cli/commands/browser.py
2026-03-26
browser-use/browser-usePath traversal in CLI file upload command allows reading arbitrary files
CWE-22browser_use/skill_cli/main.py
2026-03-26
browser-use/browser-useCookie import from arbitrary file path enables loading malicious cookie data
CWE-22browser_use/skill_cli/commands/browser.py
2026-03-26
browser-use/browser-useLLM-controlled JavaScript injection via callFunctionOn in occlusion check uses unsanitized DOM data
CWE-79browser_use/browser/watchdogs/default_action_watchdog.py
2026-03-26
khoj-ai/khojSSRF in BrowserEnvironment goto action allows navigation to internal URLs
CWE-918src/khoj/processor/operator/operator_environment_browser.py
2026-03-26
khoj-ai/khojSQL Injection via unsanitized DB_NAME in embedded Postgres setup
CWE-89src/khoj/app/settings.py
2026-03-26
khoj-ai/khojArbitrary Python code execution via ast.literal_eval bypass in ComputerEnvironment._execute
CWE-95src/khoj/processor/operator/operator_environment_computer.py
2026-03-26
khoj-ai/khojeval() on LLM-controlled coordinate strings in GroundingAgent (non-UITars)
CWE-95src/khoj/processor/operator/grounding_agent.py
2026-03-26
Marker-Inc-Korea/AutoRAGPickle deserialization of BM25 corpus files allows arbitrary code execution
CWE-502autorag/nodes/lexicalretrieval/bm25.py
2026-03-25
Marker-Inc-Korea/AutoRAGYAML config environment variable expansion can leak secrets via SSRF
CWE-918autorag/utils/util.py
2026-03-25
Marker-Inc-Korea/AutoRAGCLI run_web passes user-controlled paths to subprocess without sanitization
CWE-78autorag/cli.py
2026-03-25
droidrun/droidrunAST-based parsing of LLM output used for action dispatch without full sanitization
CWE-94droidrun/agent/external/autoglm.py
2026-03-25
droidrun/droidrunJinja2 template rendering with user/LLM-controlled variables
CWE-94droidrun/agent/fast_agent/fast_agent.py
2026-03-25
katanemo/planoUnsanitized user-controlled config values passed to subprocess via docker exec
CWE-78cli/planoai/utils.py
2026-03-25
katanemo/planoAuthorization tokens logged to stdout in plaintext
CWE-200cli/planoai/utils.py
2026-03-25
katanemo/planoDaemon PID file race condition allows PID hijacking
CWE-377cli/planoai/native_runner.py
2026-03-25
katanemo/planogRPC trace listener binds on 0.0.0.0 without authentication
CWE-287cli/planoai/trace_cmd.py
2026-03-25
mem0ai/mem0Arbitrary class instantiation via JSON deserialization with __class__ key
CWE-502embedchain/embedchain/helpers/json_serializable.py
2026-03-25
open-webui/open-webuiSQL injection risk in SQLCipher PRAGMA key via DATABASE_PASSWORD environment variable
CWE-89backend/open_webui/internal/db.py
2026-03-25
open-webui/open-webuiSSRF via user-controlled code execution forwarding to arbitrary Jupyter endpoint
CWE-918backend/open_webui/routers/utils.py
2026-03-25
open-webui/open-webuiStored XSS via unsanitized HTML in notes PDF generation (client-side)
CWE-79src/lib/components/notes/utils.ts
2026-03-25
1Panel-dev/MaxKBOS command injection risk in sandbox initialization via config values
CWE-78apps/common/utils/tool_code.py
2026-03-24
1Panel-dev/MaxKBWeak password hashing using unsalted MD5
CWE-327apps/common/utils/common.py
2026-03-24
QwenLM/Qwen-AgentShell command injection via os.system() with unvalidated paths in benchmark
CWE-78benchmark/code_interpreter/inference_and_execute.py
2026-03-24
QwenLM/Qwen-AgentSSRF via user-controlled URL in save_url_to_local_work_dir
CWE-918qwen_agent/utils/utils.py
2026-03-24